#
# $FreeBSD: head/etc/pam.d/login 170510 2007-06-10 18:57:20Z yar $
#
# PAM configuration for the "login" service
#
<%
        def safe_call(*args):
            try:
                val = client.call(*args)
            except:
                val = False
            return val

        ad_enabled = safe_call('notifier.common', 'system', 'activedirectory_enabled')
        dc_enabled = safe_call('notifier.common', 'system', 'domaincontroller_enabled')
        ldap_enabled = safe_call('notifier.common', 'system', 'ldap_enabled')
%>

# auth
auth		sufficient	pam_self.so		no_warn
% if ad_enabled or dc_enabled:
auth		sufficient	/usr/local/lib/pam_winbind.so silent try_first_pass krb5_auth krb5_ccache_type=FILE
% endif
% if ldap_enabled:
auth		sufficient	/usr/local/lib/pam_sss.so
% endif
auth		include		system

# account
account		requisite	pam_securetty.so
account		required	pam_nologin.so
% if ad_enabled or dc_enabled:
account		sufficient	/usr/local/lib/pam_winbind.so krb5_auth krb5_ccache_type=FILE
% endif
% if ldap_enabled:
account		sufficient	/usr/local/lib/pam_sss.so
% endif
account		include		system

# session
session		include		system

# password
password	include		system
